Today another similar interesting Facebook hack disclosed by another bug hunter, Roy Castillo. On his blog he explained a new facebook hack method that allows anyone to grab primary emails addresses of billions of Facebook users easily.

Facebook Provides a App Dashboard for creating and managing your Facebook apps, with a range of tools to help you configure, build and debug your Facebook apps.

The flaw exists in App settings, where application admin can add developer's profile also, but if the user is not a verified user, a error messages on page will disclose his primary email address.

Using following mentioned steps, one was able to grab email addresses of all facebook users:

Collect profile links of all facebook users from Facebook People Directory i.e http://www.facebook.com/directory/people/

Create a Facebook Application -> Go to Settings -> Developer Roles and add try to add a Developer profile, if its a valid ID, application will accept that, otherwise a error message will display the email address of that profile.

Where APPLICATION_ID is application ID and VICTIM_UID is numerical id of facebook profiles collected from step 2.

To submit more profiles in bulk:

https://developers.facebook.com/apps/APPLICATION_ID/roles?unverified_groups[1][0]=VICTIM_UID1&unverified_groups[2][0]=VICTIM_UID2&unverified_groups[3][0]=VICTIM_UID3&unverified_groups[4][0]=VICTIM_UID4&unverified_groups[5][0]=VICTIM_UID5&unverified_groups[6][0]=VICTIM_UID6&unverified_groups[7][0]=VICTIM_UID7&unverified_groups[8][0]=VICTIM_UID8&unverified_groups[9][0]=VICTIM_UID9&unverified_groups[10][0]=VICTIM_UID10and so forth...

This way attacker is able to dump the primary email address of any number of facebook users at once. But was reported to facebook security team by Roy and he is rewarded with $4500 under bug bounty program.